Last week, German media outlet Heise Security first reported that there is another round of Meltdown and Spectre-like flaws that will need fixing in Intel chips. The flaws are collectively being referred to as "Spectre: The Next Generation."

The first trio of Meltdown and Spectre flaws came to light on Jan. 3. They involve speculative execution, a CPU optimization technique that's widely used in modern processors. But the functionality, which is physically built into processors, can be targeted via a trio of "side-channel attacks" to trigger information leaks (see Intel Faces 32 Spectre/Meltdown Lawsuits).

Intel, AMD and ARM say they first learned of the flaws in June 2017, thanks to a Google research team. The flaws are present in billions of devices made over the past 20 years.

Chipmakers have begun shipping fixes for chips manufactured in recent years, although not all of the flaws can be fully eradicated in all chips, and some fixes have introduced new problems, including the need for frequent rebooting (see Intel: Stop Installing Patches Due to Reboot Problems).

8 New Flaws

Heise has reported that there are eight new flaws, four of which are high risk and one of which poses a much greater danger than any of the three Spectre/Meltdown flaws that have already come to light.

On Monday, Heise reported that Intel has been planning for a coordinated vulnerability announcement with Google Project Zero - and perhaps others - on May 21, although it's attempting to delay it until at least July 10. It's not clear if any other chipmakers might be affected.

Heise reports that the new flaws affect a range of chips used across PCs, laptops, severs, smartphones, tablets and embedded devices. Affected chips include Intel Core i - and Xeon derivatives - built since they were first released in 2010, as well as Atom-based Pentium, Celeron and Atom processors built since 2013. All affected chips will require microcode updates, and operating systems will also need to be updated, according to the report.

An Intel spokeswoman declined to comment on the report or a potential coordinated vulnerability disclosure timeline. Instead, she referred me to a statement released on Thursday by Leslie Culbertson, Intel's general manager of product assurance and security:

"Protecting our customers' data and ensuring the security of our products are critical priorities for us. We routinely work closely with customers, partners, other chipmakers and researchers to understand and mitigate any issues that are identified, and part of this process involves reserving blocks of CVE numbers. We believe strongly in the value of coordinated disclosure and will share additional details on any potential issues as we finalize mitigations. As a best practice, we continue to encourage everyone to keep their systems up-to-date."

In short: Stay tuned.

Follows 'AMD Flaws' Disclosure

News of the eight fresh flaws follows an Israeli firm, CTS, issuing a website and white paper on "AMD Flaws," outlining 13 problems it says it found in AMD's Zen processors, including EPYC, Ryzen, Ryzen Pro and Ryzen Mobile.

Controversially, the company said that while it stood by its research, "we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports."

Cold, Hard Cash for Finding Flaws

Security experts have been predicting that as more Ph.D. students, nation-state attackers, computer scientists and information security researchers begin hammering away at microprocessor security, it's only a matter of time before new chip-level flaws come to light (see Expect More Cybersecurity 'Meltdowns').

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.